ssh-keygen support for ssh-agent

Bolesław Tokarski boleslaw.tokarski at
Fri Apr 10 20:57:15 AEST 2015


I am in a PoC of setting up an SSH CA for the SSH host keys. The idea is to
add an SSH CA service that would generate SSH certificates for servers that
we install automatically. This way, we would be sure that if a server
presents itself with a certificate signed with the CA, it belongs to us,
and is not a MitM.

I settled on a GnuPG smartcard to go with the SSH CA. This would secure the
private key material from remote attack, and the smartcard itself is
protected by a PIN. The smartcard is supported by, and it
works nicely with ssh authentication, with native ssh-agent with "ssh-add
-s", with gpg-agent's ssh agent support, and it neatly
generates SSH certificates with "ssh-keygen -D".

Now, my design assumed that the SSH CA would only require PIN entering on
its PIN-pad after, say, a reboot. ssh-agent works like this for ssh
authentication - it keeps the card open until it's removed or the machine
gets turned off. Unfortunately, ssh-keygen cannot currently utilize
ssh-agent for generating host certificates. It opens the smartcard with the
pkcs11 library on its own, requests the PIN for every signature, and closes
the card.

Of course, I could use a card reader that doesn't have a PIN-pad. I guess I
could issue "echo 1234 |ssh-keygen -D". Or I could totally
resign from using a smartcard. But then, the same happens if I use a
password-protected private key as the CA - I get prompted for the key
password on each run. All of those approaches are not ideal, to say the

What I need is a process that keeps the smartcard open, so that it's
possible to only enter the PIN once. This is done for ssh in ssh-agent.
Would it be possible to add ssh-agent support to ssh-keygen?

Best regards,
Bolesław Tokarski
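As an added example (not code from the original post), the host-certificate flow described above with a file-based CA key standing in for the smartcard-held one: the CA signs a host key, the issued certificate is checked for type, principal and issuing CA, and the matching known_hosts trust line is produced. Paths under a temporary directory and the hostnames are assumed.

```sh
#!/bin/sh
# Added example: file-based SSH CA issuing a host certificate.
# The CA private key is a plain file here, standing in for the smartcard key.
set -e
WORK=$(mktemp -d)
CA="$WORK/host_ca"                    # CA key pair (assumed path)
HOSTKEY="$WORK/ssh_host_ed25519_key"  # host key as installed on the server

make_ca() {
  # Empty passphrase so the script runs unattended; a real CA key is protected.
  ssh-keygen -q -t ed25519 -N '' -C 'example-host-ca' -f "$CA"
}

make_host_key() {
  ssh-keygen -q -t ed25519 -N '' -C "$1" -f "$HOSTKEY"
}

sign_host_key() {
  # -h: host certificate; -n: the only principal (hostname) it is valid for;
  # -V: validity window, so a leaked certificate expires on its own.
  ssh-keygen -q -s "$CA" -I "host:$1" -h -n "$1" -V +52w "$HOSTKEY.pub"
}

cert_is_host_cert_for() {
  # Returns 0 when the issued cert is a host cert for principal $1 signed by our CA.
  out=$(ssh-keygen -L -f "$HOSTKEY-cert.pub")
  echo "$out" | grep -q 'host certificate' || return 1
  echo "$out" | grep -qx " *$1" || return 1
  ca_fp=$(ssh-keygen -lf "$CA.pub" | awk '{print $2}')   # SHA256:... of the CA
  echo "$out" | grep -F 'Signing CA:' | grep -qF "$ca_fp"
}

known_hosts_line() {
  # Clients trust any host certificate signed by this CA for hosts matching $1.
  printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$CA.pub")"
}

make_ca
make_host_key web1.example.com
sign_host_key web1.example.com
cert_is_host_cert_for web1.example.com && echo "host certificate OK"
known_hosts_line '*.example.com'
```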

More information about the openssh-unix-dev mailing list